Azure 负载均衡器的概念Azure Load Balancer concepts

负载均衡器针对 UDP 和 TCP 应用程序提供了多种功能。Load balancer provides several capabilities for both UDP and TCP applications.

负载均衡算法Load balancing algorithm

你可以创建负载均衡规则,以将来自前端的流量分配到后端池。You can create a load-balancing rule to distribute traffic from the frontend to a backend pool. Azure 负载均衡器使用哈希算法来分配入站流(非字节)。Azure Load Balancer uses a hashing algorithm for distribution of inbound flows (not bytes). 负载均衡器会重写发往后端池实例的流的标头。Load balancer rewrites the headers of flows to backend pool instances. 当运行状况探测指示后端终结点正常时,可以使用一个服务器来接收新流量。A server is available to receive new flows when a health probe indicates a healthy back-end endpoint.

默认情况下,负载均衡器使用五元组哈希。By default, Load balancer uses a Five-tuple hash.

哈希包括:The hash includes:

  • 源 IP 地址Source IP address
  • 源端口Source port
  • 目标 IP 地址Destination IP address
  • 目标端口Destination port
  • 用于将流映射到可用服务器的 IP 协议号IP protocol number to map flows to available servers

与源 IP 地址的关联是使用二元组或三元组哈希创建的。Affinity to a source IP address is created by using a two or three-tuple hash. 同一个流的数据包将会抵达负载均衡前端后面的同一实例。Packets of the same flow arrive on the same instance behind the load-balanced front end.

当客户端从同一源 IP 启动新流时,源端口将会更改。The source port changes when a client starts a new flow from the same source IP. 因此,五元组哈希可能会导致流量定向到不同的后端终结点。As a result, the five-tuple hash might cause the traffic to go to a different backend endpoint. 有关详细信息,请参阅配置 Azure 负载均衡器的分配模式For more information, see Configure the distribution mode for Azure Load Balancer.

下图显示了基于哈希的分配:The following image displays the hash-based distribution:

基于哈希的分发

图:基于哈希的分发Figure: Hash-based distribution

应用程序独立性和透明度Application independence and transparency

负载均衡器不直接与 TCP、UDP 或应用程序层进行交互。Load balancer doesn't directly interact with TCP or UDP or the application layer. 可以支持任何 TCP 或 UDP 应用程序方案。Any TCP or UDP application scenario can be supported. 负载均衡器不会关闭或发起流,也不会与流的有效负载进行交互。Load balancer doesn't close or originate flows or interact with the payload of the flow. 负载均衡器不提供任何应用程序层网关功能。Load balancer doesn't provide application layer gateway functionality. 协议握手始终直接在客户端与后端池实例之间进行。Protocol handshakes always occur directly between the client and the back-end pool instance. 对入站流做出的响应始终是来自虚拟机的响应。A response to an inbound flow is always a response from a virtual machine. 当流抵达虚拟机时,也会保留原始的源 IP 地址。When the flow arrives on the virtual machine, the original source IP address is also preserved.

  • 每个终结点由某个 VM 应答。Every endpoint is answered by a VM. 例如,TCP 握手在客户端与选定的后端 VM 之间发生。For example, a TCP handshake occurs between the client and the selected back-end VM. 对前端请求做出的响应是后端 VM 生成的响应。A response to a request to a front end is a response generated by a back-end VM. 成功验证与前端的连接后,将会验证与至少一个后端虚拟机的整个连接。When you successfully validate connectivity to a front end, you're validating the connectivity throughout to at least one back-end virtual machine.
  • 应用程序有效负载对于负载均衡器是透明的。Application payloads are transparent to the load balancer. 可以支持任何 UDP 或 TCP 应用程序。Any UDP or TCP application can be supported.
  • 由于负载均衡器不会与 TCP 有效负载进行交互并提供了 TLS 卸载,因此你可以构建全面的加密方案。Because the load balancer doesn't interact with the TCP payload and provide TLS offload, you can build comprehensive encrypted scenarios. 使用负载均衡器可通过在 VM 自身上终止 TLS 连接来实现 TLS 应用程序的大规模横向扩展。Using load balancer gains large scale-out for TLS applications by ending the TLS connection on the VM itself. 例如,将会根据添加到后端池的 VM 类型和数目限制 TLS 会话密钥容量。For example, your TLS session keying capacity is only limited by the type and number of VMs you add to the back-end pool.

出站连接Outbound connections

从后端池到公共 IP 的流将映射到前端。Flows from the backend pool to public IPs are mapped to the frontend. Azure 通过负载均衡出站规则将出站连接转换为公共前端 IP 地址。Azure translates outbound connections to the public frontend IP address via the load-balancing outbound rule. 此配置具有以下优点。This configuration has the following advantages. 可以轻松地对服务进行升级和灾难恢复操作,因为前端可以动态映射到服务的其他实例。Easy upgrade and disaster recovery of services, because the front end can be dynamically mapped to another instance of the service. 简化了访问控制列表 (ACL) 管理。Easier access control list (ACL) management. 以前端 IP 表示的 ACL 不会随着服务的缩放或重新部署而更改。ACLs expressed as front-end IPs don't change as services scale up or down or get redeployed. 将出站连接转换为较小数量的 IP 地址而不是计算机,可以减少实施安全收件人列表的负担。Translating outbound connections to a smaller number of IP addresses than machines reduces the burden of implementing safe recipient lists. 若要详细了解源网络地址转换 (SNAT) 和 Azure 负载均衡器,请参阅 SNAT 和 Azure 负载均衡器To learn more about Source Network Address Translation (SNAT) and Azure Load Balancer, see SNAT and Azure Load Balancer.

HA 端口HA ports

你可以配置 HA 端口负载均衡规则,让应用程序可缩放,并且变得高度可靠。You can configure HA port load-balancing rules to make your application scale and be highly reliable. 这些规则在内部负载均衡器前端 IP 的短生存期端口上为每个流提供负载均衡。Load balancing per flow on short-lived ports of the internal load balancer's frontend IP is provided by these rules. 无法或不需要指定各个端口时,该功能很有用。The feature is useful when it's impractical or undesirable to specify individual ports. HA 端口规则允许创建主动-被动或主动-主动 n+1 方案。An HA ports rule allows you to create active-passive or active-active n+1 scenarios. 这些方案适用于网络虚拟设备以及任何需要大范围入站端口的应用程序。These scenarios are for network virtual appliances and any application, which requires large ranges of inbound ports. 可以使用运行状况探测来确定哪些后端应当接收新流。A health probe can be used to determine which back-ends should be receiving new flows. 可使用网络安全组模拟端口范围方案。You can use a Network Security Group to emulate a port range scenario. 基本负载均衡器不支持 HA 端口。Basic load balancer doesn't support HA Ports. 请查看有关 HA 端口的详细讨论Review detailed discussion of HA Ports.

多个前端Multiple frontends

负载均衡器支持具有多个前端的多个规则。Load balancer supports multiple rules with multiple frontends. 标准负载均衡器将此功能扩展到了出站方案。Standard Load Balancer expands this capability to outbound scenarios. 出站规则与入站规则相反。Outbound rules are the inverse of an inbound rule. 出站规则创建出站连接的关联。The outbound rule creates an association for outbound connections. 标准负载均衡器通过负载均衡规则使用与虚拟机资源关联的所有前端。Standard load balancer uses all frontends associated with a virtual machine resource through a load-balancing rule. 此外,负载均衡规则中的参数允许为了出站连接取消负载均衡规则,并允许选择特定前端(包括无前端)。Additionally, a parameter on the load-balancing rule allows you to suppress a load-balancing rule for the purposes of outbound connectivity, which allows the selection of specific frontends including none. 与之相对的是,基本负载均衡器随机选择单个前端。For comparison, Basic load balancer selects a single frontend at random. 无法控制选择哪一个前端。There isn't an ability to control which frontend was selected.

浮动 IPFloating IP

在某些应用程序场景中,后端池中单个 VM 上的多个应用程序实例更需要或要求使用相同端口。Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. 重复使用端口的常见示例包括提供高可用性群集、网络虚拟设备,以及公开多个不重新加密的 TLS 终结点。Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints without re-encryption. 如果想要在多个规则中重复使用后端端口,必须在规则定义中启用浮动 IP。If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.

“浮动 IP”是 Azure 的术语,表示是所谓的直接服务器返回 (DSR) 的一部分。Floating IP is Azure's terminology for a portion of what is known as Direct Server Return (DSR). DSR 由两个部分组成:DSR consists of two parts:

  • 流拓扑Flow topology
  • IP 地址映射方案An IP address mapping scheme

在平台级别,Azure 负载均衡器始终在 DSR 流拓扑中运行,无论是否已启用浮动 IP。At a platform level, Azure Load Balancer always operates in a DSR flow topology regardless of whether Floating IP is enabled or not. 这意味着,流的出站部分始终正确重写为直接流回到来源。This means that the outbound part of a flow is always correctly rewritten to flow directly back to the origin. 如果不使用浮动 IP,则 Azure 将公开传统的负载均衡 IP 地址映射方案以便于使用(VM 实例的 IP)。Without Floating IP, Azure exposes a traditional load balancing IP address mapping scheme for ease of use (the VM instances' IP). 启用浮动 IP 会更改负载均衡器前端 IP 的 IP 地址映射,以实现更大的灵活性。Enabling Floating IP changes the IP address mapping to the Frontend IP of the load Balancer to allow for additional flexibility. 此处了解更多信息。Learn more here.

限制Limitations

  • 对于内部负载均衡方案,辅助 IP 配置当前不支持浮动 IP。Floating IP is not currently supported on secondary IP configurations for Internal Load Balancing scenarios.

  • 负载均衡器规则不能跨越两个虚拟网络。A load balancer rule can't span two virtual networks. 前端及其后端实例必须位于同一个虚拟网络中。Frontends and their backend instances must be located in the same virtual network.

  • 没有虚拟网络和其他 Microsoft 平台服务的 Web 辅助角色只能从内部标准负载均衡器后面的实例进行访问。Web Worker Roles without a virtual network and other Microsoft platform services can be accessible from instances behind only a Standard internal Load balancer. 请勿依赖此辅助功能,因为相应的服务本身或底层平台可能会在不通知的情况下进行更改。Don't rely on this accessibility, as the respective service itself or the underlying platform can change without notice. 如果在使用标准内部负载均衡器时需要出站连接,必须配置出站连接If outbound connectivity is required when using a standard internal load balancer, outbound connectivity must be configured.

  • 负载均衡器针对特定的 TCP 或 UDP 协议提供了负载均衡和端口转发。Load balancer provides load balancing and port forwarding for specific TCP or UDP protocols. 负载均衡规则和入站 NAT 规则支持 TCP 和 UDP,但不支持其他 IP 协议(包括 ICMP)。Load-balancing rules and inbound NAT rules support TCP and UDP, but not other IP protocols including ICMP.

  • 从后端 VM 到内部负载均衡器前端的出站流将会失败。Outbound flow from a backend VM to a frontend of an internal Load Balancer will fail.

  • 负载均衡规则不支持转发 IP 片段。Forwarding IP fragments isn't supported on load-balancing rules. 负载均衡规则不支持 UDP 和 TCP 数据包的 IP 片段。IP fragmentation of UDP and TCP packets isn't supported on load-balancing rules. HA 端口负载均衡规则可用于转发现有 IP 片段。HA ports load-balancing rules can be used to forward existing IP fragments. 有关详细信息,请参阅高可用性端口概述For more information, see High availability ports overview.

后续步骤Next steps